@byoky/core 0.2.0 → 0.3.0

package/dist/index.d.cts

@@ -12,6 +12,7 @@ interface OAuthConfig {
     authorizationUrl: string;
     tokenUrl: string;
     scopes: string[];
+    extraAuthParams?: Record<string, string>;
 }
 interface CredentialBase {
     id: string;
@@ -99,13 +100,23 @@ interface ProxyResponseError {
         message: string;
     };
 }
-type MessageType = 'BYOKY_CONNECT_REQUEST' | 'BYOKY_CONNECT_RESPONSE' | 'BYOKY_DISCONNECT' | 'BYOKY_PROXY_REQUEST' | 'BYOKY_PROXY_RESPONSE_META' | 'BYOKY_PROXY_RESPONSE_CHUNK' | 'BYOKY_PROXY_RESPONSE_DONE' | 'BYOKY_PROXY_RESPONSE_ERROR' | 'BYOKY_ERROR';
+type MessageType = 'BYOKY_CONNECT_REQUEST' | 'BYOKY_CONNECT_RESPONSE' | 'BYOKY_DISCONNECT' | 'BYOKY_PROXY_REQUEST' | 'BYOKY_PROXY_RESPONSE_META' | 'BYOKY_PROXY_RESPONSE_CHUNK' | 'BYOKY_PROXY_RESPONSE_DONE' | 'BYOKY_PROXY_RESPONSE_ERROR' | 'BYOKY_SESSION_STATUS' | 'BYOKY_SESSION_STATUS_RESPONSE' | 'BYOKY_SESSION_USAGE' | 'BYOKY_SESSION_USAGE_RESPONSE' | 'BYOKY_SESSION_REVOKED' | 'BYOKY_ERROR';
 interface ByokyMessage {
     type: MessageType;
     id: string;
     requestId?: string;
     payload: unknown;
 }
+interface SessionUsage {
+    requests: number;
+    inputTokens: number;
+    outputTokens: number;
+    byProvider: Record<string, {
+        requests: number;
+        inputTokens: number;
+        outputTokens: number;
+    }>;
+}
 declare enum ByokyErrorCode {
     WALLET_NOT_INSTALLED = "WALLET_NOT_INSTALLED",
     USER_REJECTED = "USER_REJECTED",
@@ -116,6 +127,8 @@ declare enum ByokyErrorCode {
     INVALID_KEY = "INVALID_KEY",
     TOKEN_EXPIRED = "TOKEN_EXPIRED",
     PROXY_ERROR = "PROXY_ERROR",
+    RELAY_CONNECTION_FAILED = "RELAY_CONNECTION_FAILED",
+    RELAY_DISCONNECTED = "RELAY_DISCONNECTED",
     UNKNOWN = "UNKNOWN"
 }
 interface RequestLogEntry {
@@ -128,6 +141,9 @@ interface RequestLogEntry {
     status: number;
     timestamp: number;
     error?: string;
+    inputTokens?: number;
+    outputTokens?: number;
+    model?: string;
 }
 interface PendingApproval {
     id: string;
@@ -136,6 +152,15 @@ interface PendingApproval {
     providers: ProviderRequirement[];
     timestamp: number;
 }
+interface TrustedSite {
+    origin: string;
+    trustedAt: number;
+}
+interface TokenAllowance {
+    origin: string;
+    totalLimit?: number;
+    providerLimits?: Record<string, number>;
+}
 
 declare function deriveKey(password: string, salt: Uint8Array): Promise<CryptoKey>;
 declare function encrypt(plaintext: string, password: string): Promise<string>;
@@ -156,6 +181,8 @@ declare class ByokyError extends Error {
     static quotaExceeded(providerId: string): ByokyError;
     static invalidKey(providerId: string): ByokyError;
     static tokenExpired(providerId: string): ByokyError;
+    static relayConnectionFailed(reason?: string): ByokyError;
+    static relayDisconnected(): ByokyError;
 }
 
 declare const BYOKY_PROVIDER_KEY = "__byoky__";
@@ -170,4 +197,124 @@ declare const PROVIDERS: Record<string, ProviderConfig>;
 declare function getProvider(id: string): ProviderConfig | undefined;
 declare function getProviderIds(): string[];
 
-export { type ApiKeyCredential, type AuthMethod, BYOKY_MESSAGE_PREFIX, BYOKY_PROVIDER_KEY, ByokyError, ByokyErrorCode, type ByokyMessage, type ConnectRequest, type ConnectResponse, type Credential, type CredentialBase, type CredentialMeta, type MessageType, type OAuthConfig, type OAuthCredential, PROVIDERS, type PendingApproval, type ProviderConfig, type ProviderId, type ProviderRequirement, type ProxyRequest, type ProxyResponseChunk, type ProxyResponseError, type ProxyResponseMeta, type RequestLogEntry, type Session, type SessionProvider, createConnectRequest, createConnectResponse, createErrorMessage, createMessage, decrypt, deriveKey, encrypt, getProvider, getProviderIds, hashPassword, isByokyMessage, maskKey, verifyPassword };
+/** Minimal WebSocket interface — compatible with browser WebSocket and `ws` library. */
+interface WebSocketLike {
+    readonly readyState: number;
+    send(data: string): void;
+    close(code?: number, reason?: string): void;
+    onopen: ((event: unknown) => void) | null;
+    onmessage: ((event: {
+        data: unknown;
+    }) => void) | null;
+    onclose: ((event: {
+        code: number;
+        reason: string;
+    }) => void) | null;
+    onerror: ((event: unknown) => void) | null;
+}
+declare const WS_READY_STATE: {
+    readonly CONNECTING: 0;
+    readonly OPEN: 1;
+    readonly CLOSING: 2;
+    readonly CLOSED: 3;
+};
+interface RelayHello {
+    type: 'relay:hello';
+    sessionId: string;
+    providers: Record<string, {
+        available: boolean;
+        authMethod: AuthMethod;
+    }>;
+}
+interface RelayRequest {
+    type: 'relay:request';
+    requestId: string;
+    providerId: string;
+    url: string;
+    method: string;
+    headers: Record<string, string>;
+    body?: string;
+}
+interface RelayResponseMeta {
+    type: 'relay:response:meta';
+    requestId: string;
+    status: number;
+    statusText: string;
+    headers: Record<string, string>;
+}
+interface RelayResponseChunk {
+    type: 'relay:response:chunk';
+    requestId: string;
+    chunk: string;
+}
+interface RelayResponseDone {
+    type: 'relay:response:done';
+    requestId: string;
+}
+interface RelayResponseError {
+    type: 'relay:response:error';
+    requestId: string;
+    error: {
+        code: string;
+        message: string;
+    };
+}
+interface RelayPing {
+    type: 'relay:ping';
+    ts: number;
+}
+interface RelayPong {
+    type: 'relay:pong';
+    ts: number;
+}
+type RelayMessage = RelayHello | RelayRequest | RelayResponseMeta | RelayResponseChunk | RelayResponseDone | RelayResponseError | RelayPing | RelayPong;
+declare function parseRelayMessage(data: unknown): RelayMessage | null;
+declare function sendRelayMessage(ws: WebSocketLike, msg: RelayMessage): void;
+
+interface PasswordStrength {
+    score: 0 | 1 | 2 | 3 | 4;
+    label: 'Too weak' | 'Weak' | 'Fair' | 'Strong' | 'Very strong';
+    feedback: string[];
+}
+declare function checkPasswordStrength(password: string): PasswordStrength;
+declare const MIN_PASSWORD_LENGTH = 12;
+
+/**
+ * Validate that a proxy request URL targets the registered provider's base URL.
+ * Prevents API key exfiltration by rejecting requests to arbitrary domains.
+ */
+declare function validateProxyUrl(providerId: string, url: string): boolean;
+/**
+ * Build the real auth headers for a provider API request.
+ * Strips any fake session-key headers and injects the real API key.
+ */
+declare function buildHeaders(providerId: string, requestHeaders: Record<string, string>, apiKey: string, authMethod?: string): Record<string, string>;
+/**
+ * Parse the model name from a request body (JSON).
+ */
+declare function parseModel(body?: string): string | undefined;
+/**
+ * Parse token usage from a provider API response body.
+ * Handles both regular JSON responses and SSE streaming responses.
+ */
+declare function parseUsage(providerId: string, body: string): {
+    inputTokens: number;
+    outputTokens: number;
+} | undefined;
+/**
+ * Extract token usage from a parsed provider response object.
+ */
+declare function extractUsageFromParsed(providerId: string, parsed: Record<string, unknown>): {
+    inputTokens: number;
+    outputTokens: number;
+} | undefined;
+/**
+ * Check whether a request is allowed given token allowances and usage history.
+ * Pure computation — no storage access.
+ */
+declare function computeAllowanceCheck(allowance: TokenAllowance | undefined, entries: Pick<RequestLogEntry, 'providerId' | 'inputTokens' | 'outputTokens'>[], providerId: string): {
+    allowed: boolean;
+    reason?: string;
+};
+
+export { type ApiKeyCredential, type AuthMethod, BYOKY_MESSAGE_PREFIX, BYOKY_PROVIDER_KEY, ByokyError, ByokyErrorCode, type ByokyMessage, type ConnectRequest, type ConnectResponse, type Credential, type CredentialBase, type CredentialMeta, MIN_PASSWORD_LENGTH, type MessageType, type OAuthConfig, type OAuthCredential, PROVIDERS, type PasswordStrength, type PendingApproval, type ProviderConfig, type ProviderId, type ProviderRequirement, type ProxyRequest, type ProxyResponseChunk, type ProxyResponseError, type ProxyResponseMeta, type RelayHello, type RelayMessage, type RelayPing, type RelayPong, type RelayRequest, type RelayResponseChunk, type RelayResponseDone, type RelayResponseError, type RelayResponseMeta, type RequestLogEntry, type Session, type SessionProvider, type SessionUsage, type TokenAllowance, type TrustedSite, WS_READY_STATE, type WebSocketLike, buildHeaders, checkPasswordStrength, computeAllowanceCheck, createConnectRequest, createConnectResponse, createErrorMessage, createMessage, decrypt, deriveKey, encrypt, extractUsageFromParsed, getProvider, getProviderIds, hashPassword, isByokyMessage, maskKey, parseModel, parseRelayMessage, parseUsage, sendRelayMessage, validateProxyUrl, verifyPassword };

package/dist/index.d.ts

@@ -12,6 +12,7 @@ interface OAuthConfig {
     authorizationUrl: string;
     tokenUrl: string;
     scopes: string[];
+    extraAuthParams?: Record<string, string>;
 }
 interface CredentialBase {
     id: string;
@@ -99,13 +100,23 @@ interface ProxyResponseError {
         message: string;
     };
 }
-type MessageType = 'BYOKY_CONNECT_REQUEST' | 'BYOKY_CONNECT_RESPONSE' | 'BYOKY_DISCONNECT' | 'BYOKY_PROXY_REQUEST' | 'BYOKY_PROXY_RESPONSE_META' | 'BYOKY_PROXY_RESPONSE_CHUNK' | 'BYOKY_PROXY_RESPONSE_DONE' | 'BYOKY_PROXY_RESPONSE_ERROR' | 'BYOKY_ERROR';
+type MessageType = 'BYOKY_CONNECT_REQUEST' | 'BYOKY_CONNECT_RESPONSE' | 'BYOKY_DISCONNECT' | 'BYOKY_PROXY_REQUEST' | 'BYOKY_PROXY_RESPONSE_META' | 'BYOKY_PROXY_RESPONSE_CHUNK' | 'BYOKY_PROXY_RESPONSE_DONE' | 'BYOKY_PROXY_RESPONSE_ERROR' | 'BYOKY_SESSION_STATUS' | 'BYOKY_SESSION_STATUS_RESPONSE' | 'BYOKY_SESSION_USAGE' | 'BYOKY_SESSION_USAGE_RESPONSE' | 'BYOKY_SESSION_REVOKED' | 'BYOKY_ERROR';
 interface ByokyMessage {
     type: MessageType;
     id: string;
     requestId?: string;
     payload: unknown;
 }
+interface SessionUsage {
+    requests: number;
+    inputTokens: number;
+    outputTokens: number;
+    byProvider: Record<string, {
+        requests: number;
+        inputTokens: number;
+        outputTokens: number;
+    }>;
+}
 declare enum ByokyErrorCode {
     WALLET_NOT_INSTALLED = "WALLET_NOT_INSTALLED",
     USER_REJECTED = "USER_REJECTED",
@@ -116,6 +127,8 @@ declare enum ByokyErrorCode {
     INVALID_KEY = "INVALID_KEY",
     TOKEN_EXPIRED = "TOKEN_EXPIRED",
     PROXY_ERROR = "PROXY_ERROR",
+    RELAY_CONNECTION_FAILED = "RELAY_CONNECTION_FAILED",
+    RELAY_DISCONNECTED = "RELAY_DISCONNECTED",
     UNKNOWN = "UNKNOWN"
 }
 interface RequestLogEntry {
@@ -128,6 +141,9 @@ interface RequestLogEntry {
     status: number;
     timestamp: number;
     error?: string;
+    inputTokens?: number;
+    outputTokens?: number;
+    model?: string;
 }
 interface PendingApproval {
     id: string;
@@ -136,6 +152,15 @@ interface PendingApproval {
     providers: ProviderRequirement[];
     timestamp: number;
 }
+interface TrustedSite {
+    origin: string;
+    trustedAt: number;
+}
+interface TokenAllowance {
+    origin: string;
+    totalLimit?: number;
+    providerLimits?: Record<string, number>;
+}
 
 declare function deriveKey(password: string, salt: Uint8Array): Promise<CryptoKey>;
 declare function encrypt(plaintext: string, password: string): Promise<string>;
@@ -156,6 +181,8 @@ declare class ByokyError extends Error {
     static quotaExceeded(providerId: string): ByokyError;
     static invalidKey(providerId: string): ByokyError;
     static tokenExpired(providerId: string): ByokyError;
+    static relayConnectionFailed(reason?: string): ByokyError;
+    static relayDisconnected(): ByokyError;
 }
 
 declare const BYOKY_PROVIDER_KEY = "__byoky__";
@@ -170,4 +197,124 @@ declare const PROVIDERS: Record<string, ProviderConfig>;
 declare function getProvider(id: string): ProviderConfig | undefined;
 declare function getProviderIds(): string[];
 
-export { type ApiKeyCredential, type AuthMethod, BYOKY_MESSAGE_PREFIX, BYOKY_PROVIDER_KEY, ByokyError, ByokyErrorCode, type ByokyMessage, type ConnectRequest, type ConnectResponse, type Credential, type CredentialBase, type CredentialMeta, type MessageType, type OAuthConfig, type OAuthCredential, PROVIDERS, type PendingApproval, type ProviderConfig, type ProviderId, type ProviderRequirement, type ProxyRequest, type ProxyResponseChunk, type ProxyResponseError, type ProxyResponseMeta, type RequestLogEntry, type Session, type SessionProvider, createConnectRequest, createConnectResponse, createErrorMessage, createMessage, decrypt, deriveKey, encrypt, getProvider, getProviderIds, hashPassword, isByokyMessage, maskKey, verifyPassword };
+/** Minimal WebSocket interface — compatible with browser WebSocket and `ws` library. */
+interface WebSocketLike {
+    readonly readyState: number;
+    send(data: string): void;
+    close(code?: number, reason?: string): void;
+    onopen: ((event: unknown) => void) | null;
+    onmessage: ((event: {
+        data: unknown;
+    }) => void) | null;
+    onclose: ((event: {
+        code: number;
+        reason: string;
+    }) => void) | null;
+    onerror: ((event: unknown) => void) | null;
+}
+declare const WS_READY_STATE: {
+    readonly CONNECTING: 0;
+    readonly OPEN: 1;
+    readonly CLOSING: 2;
+    readonly CLOSED: 3;
+};
+interface RelayHello {
+    type: 'relay:hello';
+    sessionId: string;
+    providers: Record<string, {
+        available: boolean;
+        authMethod: AuthMethod;
+    }>;
+}
+interface RelayRequest {
+    type: 'relay:request';
+    requestId: string;
+    providerId: string;
+    url: string;
+    method: string;
+    headers: Record<string, string>;
+    body?: string;
+}
+interface RelayResponseMeta {
+    type: 'relay:response:meta';
+    requestId: string;
+    status: number;
+    statusText: string;
+    headers: Record<string, string>;
+}
+interface RelayResponseChunk {
+    type: 'relay:response:chunk';
+    requestId: string;
+    chunk: string;
+}
+interface RelayResponseDone {
+    type: 'relay:response:done';
+    requestId: string;
+}
+interface RelayResponseError {
+    type: 'relay:response:error';
+    requestId: string;
+    error: {
+        code: string;
+        message: string;
+    };
+}
+interface RelayPing {
+    type: 'relay:ping';
+    ts: number;
+}
+interface RelayPong {
+    type: 'relay:pong';
+    ts: number;
+}
+type RelayMessage = RelayHello | RelayRequest | RelayResponseMeta | RelayResponseChunk | RelayResponseDone | RelayResponseError | RelayPing | RelayPong;
+declare function parseRelayMessage(data: unknown): RelayMessage | null;
+declare function sendRelayMessage(ws: WebSocketLike, msg: RelayMessage): void;
+
+interface PasswordStrength {
+    score: 0 | 1 | 2 | 3 | 4;
+    label: 'Too weak' | 'Weak' | 'Fair' | 'Strong' | 'Very strong';
+    feedback: string[];
+}
+declare function checkPasswordStrength(password: string): PasswordStrength;
+declare const MIN_PASSWORD_LENGTH = 12;
+
+/**
+ * Validate that a proxy request URL targets the registered provider's base URL.
+ * Prevents API key exfiltration by rejecting requests to arbitrary domains.
+ */
+declare function validateProxyUrl(providerId: string, url: string): boolean;
+/**
+ * Build the real auth headers for a provider API request.
+ * Strips any fake session-key headers and injects the real API key.
+ */
+declare function buildHeaders(providerId: string, requestHeaders: Record<string, string>, apiKey: string, authMethod?: string): Record<string, string>;
+/**
+ * Parse the model name from a request body (JSON).
+ */
+declare function parseModel(body?: string): string | undefined;
+/**
+ * Parse token usage from a provider API response body.
+ * Handles both regular JSON responses and SSE streaming responses.
+ */
+declare function parseUsage(providerId: string, body: string): {
+    inputTokens: number;
+    outputTokens: number;
+} | undefined;
+/**
+ * Extract token usage from a parsed provider response object.
+ */
+declare function extractUsageFromParsed(providerId: string, parsed: Record<string, unknown>): {
+    inputTokens: number;
+    outputTokens: number;
+} | undefined;
+/**
+ * Check whether a request is allowed given token allowances and usage history.
+ * Pure computation — no storage access.
+ */
+declare function computeAllowanceCheck(allowance: TokenAllowance | undefined, entries: Pick<RequestLogEntry, 'providerId' | 'inputTokens' | 'outputTokens'>[], providerId: string): {
+    allowed: boolean;
+    reason?: string;
+};
+
+export { type ApiKeyCredential, type AuthMethod, BYOKY_MESSAGE_PREFIX, BYOKY_PROVIDER_KEY, ByokyError, ByokyErrorCode, type ByokyMessage, type ConnectRequest, type ConnectResponse, type Credential, type CredentialBase, type CredentialMeta, MIN_PASSWORD_LENGTH, type MessageType, type OAuthConfig, type OAuthCredential, PROVIDERS, type PasswordStrength, type PendingApproval, type ProviderConfig, type ProviderId, type ProviderRequirement, type ProxyRequest, type ProxyResponseChunk, type ProxyResponseError, type ProxyResponseMeta, type RelayHello, type RelayMessage, type RelayPing, type RelayPong, type RelayRequest, type RelayResponseChunk, type RelayResponseDone, type RelayResponseError, type RelayResponseMeta, type RequestLogEntry, type Session, type SessionProvider, type SessionUsage, type TokenAllowance, type TrustedSite, WS_READY_STATE, type WebSocketLike, buildHeaders, checkPasswordStrength, computeAllowanceCheck, createConnectRequest, createConnectResponse, createErrorMessage, createMessage, decrypt, deriveKey, encrypt, extractUsageFromParsed, getProvider, getProviderIds, hashPassword, isByokyMessage, maskKey, parseModel, parseRelayMessage, parseUsage, sendRelayMessage, validateProxyUrl, verifyPassword };